usebasejump / basejump

Teams, personal accounts, permissions and billing for your Supabase app

Home Page:https://usebasejump.com

Add example on how to allow access to files to team members depending on folder name

jide opened this issue · comments

Just had to do that. That is what I came up with:

create policy "Account members can insert" on storage.objects
    for insert
    to authenticated
    with check (
        bucket_id = '<your bucket name>'
        AND (storage.foldername(name))[1] IN (SELECT (account)::text FROM basejump.get_accounts_with_role() AS account)
    );

There's a few open tickets on the Supabase side to make this easier - for now I think that would work just fine. I'm hoping they add the ability to add better metadata to uploads in the future. Right now they replace anything you add with their own internal metadata. But ideally later you'd be able to store the account_id in metadata.

One small optimization you may want to make is to change it to add a SELECT to the start of your foldername query. From the RLS Performance docs that helps the query optimizer handle it a bit better.

oh, I think what I would do there is instead look at the path tokens in storage.objects to avoid the join.

Otherwise it would look the same but that would get you out of a join. And then you wouldn't need the select in front (but you still want the select getting the basejump accounts)

path_tokens[1]::uuid

create policy "Account members can insert" on storage.objects
    for insert
    to authenticated
    with check (
        bucket_id = '<your bucket name>'
        AND (path_tokens[1]::uuid IN (SELECT (account)::text FROM basejump.get_accounts_with_role() AS account))
    );

I didn't run that to test, but something like that

Yeah I saw a number of issues about storage objects metadata.

Cool approach with tokens. Wouldn't have thought about that. I took the folder name thing straight from supabase base docs.

I think we must get rid of the text casting if the folder name is cast to uuid though, right?

create policy "Account members can insert" on storage.objects
    for insert
    to authenticated
    with check (
        bucket_id = '<your bucket name>'
        AND (path_tokens[1]::uuid IN (SELECT (account) FROM basejump.get_accounts_with_role() AS account))
    );

In fact that won't work if there are other folders with names that are not uuids, it will throw "ERROR: invalid input syntax for type uuid: xxxx", so casting to text is preferable.

got it - yeah I made a few assumptions there about your setup that probably weren't helpful.

I can't think of a reason not to use the path tokens, so I'm surprised their docs used the folder name. I'll check it out.
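
A consolidated form of where the thread ends up (path_tokens compared as text), added here as an example and not posted by any participant or taken from Basejump. It assumes objects are stored under <account_id>/<file path>; the bucket name is a placeholder and the "Account members can select" policy name is hypothetical.

```sql
-- Added example, not code from the thread or from Basejump.
-- Assumption: every object path starts with the owning account's id,
-- e.g. '<account_id>/invoices/2024.pdf'.

-- Upload: the first path segment must be an account the caller belongs to.
create policy "Account members can insert" on storage.objects
    for insert
    to authenticated
    with check (
        bucket_id = '<your bucket name>'
        -- Compare as text. A folder whose name is not a uuid then just fails
        -- the membership test instead of raising
        -- "invalid input syntax for type uuid".
        AND path_tokens[1] IN (
            SELECT account::text
            FROM basejump.get_accounts_with_role() AS account
        )
    );

-- Read (hypothetical companion policy): same membership test for
-- listing and downloading objects.
create policy "Account members can select" on storage.objects
    for select
    to authenticated
    using (
        bucket_id = '<your bucket name>'
        AND path_tokens[1] IN (
            SELECT account::text
            FROM basejump.get_accounts_with_role() AS account
        )
    );
```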